On security, should the media be harder on Microsoft than Firefox?

My fellow ZDNet blogger George Ou has raised an interesting question about the way the press handles security flaws in Internet Explorer (IE) versus the way it covers the same thing for Firefox. In using just the past couple of headlines for each of the browsers (from two news sources) as proof points, the evidence is very anecdotal. But I suspect that it is indeed quite projectable into the past. As a tech journalist for 15 years, I was prompted by Ou's blog to stop and ask myself whether there's a double standard when I write about Microsoft and, if so, is that so wrong?

I think the question can actually be broken down into two questions. First, should we expect more from Microsoft than, say, Mozilla.org? Second, if we should, then should we also be harder on Microsoft when it doesn't meet those expectations?

Should we expect more from Microsoft? Is it fair to be more critical of the company that made the riskiest choices? And not just more than Mozilla but plenty of other companies as well. I'd argue yes, but probably not for the reasons that most would. The most obvious reason to expect more from Microsoft is that the company -- flush with cash -- appears to have unlimited resources. The implication is that there are no excuses. There's no reason that Microsoft can't hire the best programmers in the entire world (with the exception of a few very principled people, everyone has a price) and there's no reason Microsoft can't hire them in whatever quantity is necessary to make these problems go away. These, to me, are not reasons to expect more from Microsoft.

So what are?

For starters, if you're a product manager in Microsoft working on any product, you may feel slighted by such double standards. But should Microsoft really feel badly that it's being subjected to such a double standard? Or, should a Microsoft executive feel justified in complaining about being held to a double standard? In my recollection, this hasn't happened. Raising the question of a double standard for double standards, I'm willing to bet that Microsoft, like most companies, applies a double standard to itself. What company doesn't? If I'm Bill Gates or any other manager in Microsoft, you can bet that I'm not only trying to hire the very best people, I'm also holding them to a higher standard than I hold my competition. That sort of demanding environment -- an environment with far less tolerance for mediocrity -- is what makes some companies great.

Back in 1992, about a year after I first started cutting my tech journalism teeth, my partner blogger Dan Farber took over the reins as editor-in-chief of the publication I was working for (PC Week). From the get-go, it was quite clear to me (because of the number of times he beat me up over something my team was about to publish) that he was holding us to a different standard than the rest of the industry was held to. At times, the criticism was harsh. But the result was that we started using the performance of other publications to benchmark our performance and to make sure that no matter what, we were coming out on top. Were we doing more reviews? (I was the director of the testing labs.) Were the products being reviewed and the context in which they were reviewed more aligned with the target audience's information needs than were reviews at other publications? Were we doing a better job putting those reviews in a comparative context given what else was on the market or were we reviewing each product in a bubble as though there were no alternatives (what IT buyer thinks this way?). Like a little devil on my shoulder, the double standard caused me to think and rethink everything I did.

That's probably why you don't hear Microsoft's executives complaining too often about double standards in the press. Given that Microsoft is holding itself to different standards, complaining about the press doing the same would itself be a double standard.

There's another reason that we may be justified in expecting more from Microsoft. While not all security problems with Internet Explorer are related to its underlying pipeline into Windows (ActiveX), a good many have been. ActiveX (which has had so many names I can't even keep track of them all) has long been a fundamental architectural choice of Microsoft's. On the one hand, it facilitates so much functionality and reduces the friction to integration between software components within the operating system. On the other, when you pave such superslabs for software connectivity, you simply can't trust everyone to drive according to the rules of the road. So, if Microsoft opens the highway and then builds an application (IE) that uses it (two separate choices), and then stands by those choices as though they're company religion, does there come a point (in terms of the price users repeatedly pay because of those choices) at which the press is more justified in the usage of more inflammatory headlines?

In Firefox, Mozilla.org's developers made different architectural choices from those made at Microsoft. To the extent that those choices contribute to how vulnerable Firefox users are, Mozilla.org is definitely on the hook to make sure those choices don't needlessly expose end users to those with malicious intent. Yes. More so than other vulnerabilities. Even though those other vulnerabilities can ultimately be traced back to a choice -- a choice that was made by some programmer -- choosing an overall architecture that can leave end users exposed means higher stakes and, thusly, higher standards.

In the mashup ChicagoCrime.org, Adrian Holovaty, who won second place at Mashup Camp's Best Mashup Contest, programmed the ability for end users to check the footpath that they or their kids might be taking to get to work, mass transit, or the school bus stop for crime frequency. If one path cuts through a bad neighborhood and alleyways where crimes are more likely to take place and the other one by sheer volume of pedestrian traffic is statistically and intuitively safer, which one do you send your kids on?

There may be some convenience in sending your kids through the dangerous neighborhood and alleyways. Perhaps it shaves 20 minutes off the time it takes them to get to school (trust me, as a parent of three children, I can tell you that 20 minutes is a big deal in the morning). But if you know the risks, you're also responsible for securing the route. For example, going with them. When was the last time you saw a bunch of six-year-olds standing by themselves on the street corner (with no adults) waiting for the school bus?

I can remember when Java first started to make the headlines. There was a browser called HotJava that was built entirely on top of Java and back then, Java was famed for its sandbox -- a software firewall that cut off any code running inside the Java Virtual Machine from the outside world ("outside" meaning a host operating system such as Windows). As a result, applications that ran on Java (like HotJava) were fully secured from the operating system in a way that using the Web couldn't result in harm to the host system (e.g., the surreptitious loading of malware). I'm sure the developers of HotJava will differ with this opinion; but so limiting in functionality and slow was the HotJava browser that it completely disappeared off the landscape.

Against the wishes of Sun, Microsoft introduced a Windows-specific version of the Java Virtual Machine that broke a hole through the sandbox wall, thereby affording Java developers some access to the utilities in Windows. The same sort of access that Internet Explorer has. Legally, that choice ended up costing Microsoft $1.95 billion. But technically, Microsoft was onto something. Over the years, the Java Virtual Machine has taken on increased degrees of connectivity to the host operating system to enable specific types of functionality that certain applications can't do without: for example, local file-system access. Not surprisingly, the more that the sandbox has been opened up to the host operating system over the years, the more Sun has ended up having to issue security fixes. This past February, News.com's Dawn Kawamoto reported:

Sun Microsystems issued a patch Tuesday to address seven "highly critical" flaws in its Java Runtime Environment that could allow a malicious attacker to gain remote control over a user's system.... These latest flaws are found in one of the JRE's application programming interfaces, or API, which communicate between the sandbox and the rest of the system. The flaws could be exploited by attackers to gain remote access to a user's Java applications, allowing them to read and write files or execute code.

Ironically, or maybe not, Sun and Microsoft are moving closer to a central point between the extremes from which they came a long time ago (Microsoft with its largely unguarded ActiveX highways and Sun with designed-with-security-in-mind-from-the-ground-up platforms). On one hand is Sun building whatever bidirectional pathways are necessary between various Java Runtime Environments and the platforms they're adapted to (computers, phones, set top boxes, etc.) to deliver more functionality. On the other hand is Microsoft with Internet Explorer, which over the years has had its screws increasingly tightened to the point that in the name of security, IE7 will not be the fully uninterrupted experience that IE once was. The point is that security has always been at odds with functionality. To get more function, just about all software ends up risking a bit of security. And, no matter how methodical a company is, and despite its truest intentions, developing perfectly secure software isn't that easy. So far no one has done it out of the gate with anything but the simplest (and often useless) products.

So, if most software is starting to gravitate to some sweet spot where the trade-off between functionality and security is relatively close, but they originated from different points that can be traced to choice and culture, is it fair to be more critical of the company that made the riskiest of those choices at the beginning? Especially since that choice is being somewhat legitimized by the direction that the company that made the most conservative choice is taking?